Limiting the size of an HTTP POST request on JBoss

18,596

maxPostSize defines how big a POST can get before Tomcat will "automatically" parse it, whatever that means.

If you're doing this for security reasons, you need to think twice about how you do it. A DoS attack isn't going to conveniently announce its size as an HTTP request header; it's just going to send data until your server falls over.

You could check the Content-Length header of the request, and reject it immediately if it's not present, or too big, but you run the risk of rejecting genuine clients that don't supply the header, which many won't.

Otherwise, you're just going to have to read the request data until it crosses a threshold, and then reject it.

Either way, the container can't help you much.
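The two options the answer describes, rejecting on the declared Content-Length when it is present and otherwise reading the body until a threshold is crossed, can be done in one servlet Filter, which is as close as the container gets to helping. The code below is an added example and is not from the original answer, from JBoss or from Tomcat; it targets the Servlet 2.5 API that JBoss 4.2 ships, and the class name, the init-param name maxBodyBytes and the 1 MiB default are assumptions. For context, Tomcat's maxPostSize only bounds the body the container will parse for form parameters (getParameter on an application/x-www-form-urlencoded POST); it does not cap what a servlet reads through getInputStream, so it does nothing for a raw upload:

```java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Caps the request body at maxBodyBytes: refuses an oversized declared Content-Length up front,
 *  otherwise counts bytes as the servlet reads them and aborts once the threshold is crossed. */
public class MaxBodySizeFilter implements Filter {
    private long maxBodyBytes = 1024L * 1024L; // 1 MiB unless overridden by the init-param (assumed name)

    public void init(FilterConfig config) {
        String v = config.getInitParameter("maxBodyBytes");
        if (v != null) {
            maxBodyBytes = Long.parseLong(v.trim());
        }
    }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Layer 1: reject on the declared size before reading a byte. A missing or malformed
        // header is NOT rejected here (genuine clients omit it); it falls through to layer 2.
        // The raw header is parsed as a long because getContentLength() is only an int.
        String declared = request.getHeader("Content-Length");
        if (declared != null) {
            long len;
            try {
                len = Long.parseLong(declared.trim());
            } catch (NumberFormatException e) {
                len = -1;
            }
            if (len > maxBodyBytes) {
                reject(response, HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "Request body too large");
                return;
            }
        }

        // Layer 2: whatever the header said, the servlet reads through a stream that
        // throws once more than maxBodyBytes have been delivered.
        try {
            chain.doFilter(new LimitedRequest(request, maxBodyBytes), response);
        } catch (BodyTooLargeException e) {
            if (!response.isCommitted()) {
                response.reset();
                reject(response, HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, e.getMessage());
            }
        }
    }

    private static void reject(HttpServletResponse response, int status, String msg) throws IOException {
        // Ask the container to close the connection rather than drain the rest of the body
        // to keep it alive; draining is exactly what the attacker wants.
        response.setHeader("Connection", "close");
        response.sendError(status, msg);
    }

    /** Extends IOException so it propagates through servlet code that only declares IOException. */
    static final class BodyTooLargeException extends IOException {
        BodyTooLargeException(long limit) { super("Request body exceeds " + limit + " bytes"); }
    }

    private static final class LimitedRequest extends HttpServletRequestWrapper {
        private final long limit;
        LimitedRequest(HttpServletRequest request, long limit) { super(request); this.limit = limit; }

        public ServletInputStream getInputStream() throws IOException {
            return new LimitedInputStream(super.getInputStream(), limit);
        }
        // The base wrapper delegates getReader() to the wrapped request, bypassing the
        // limit; route it through the counting stream instead.
        public BufferedReader getReader() throws IOException {
            String enc = getCharacterEncoding();
            return new BufferedReader(new InputStreamReader(getInputStream(), enc == null ? "ISO-8859-1" : enc));
        }
    }

    /** Counts delivered bytes and throws past the limit. On Servlet 3.1+ (WildFly, EAP 7)
     *  isFinished(), isReady() and setReadListener() must also be implemented. */
    static final class LimitedInputStream extends ServletInputStream {
        private final InputStream in;
        private final long limit;
        private long count;
        LimitedInputStream(InputStream in, long limit) { this.in = in; this.limit = limit; }

        public int read() throws IOException {
            int b = in.read();
            if (b != -1 && ++count > limit) throw new BodyTooLargeException(limit);
            return b;
        }
        public int read(byte[] buf, int off, int len) throws IOException {
            // Never request more than one byte past the limit, so an oversized body
            // is detected without buffering more of it.
            int n = in.read(buf, off, (int) Math.min(len, limit - count + 1));
            if (n > 0 && (count += n) > limit) throw new BodyTooLargeException(limit);
            return n;
        }
    }
}
```

Register it in WEB-INF/web.xml as a filter with a filter-mapping on /* and an init-param maxBodyBytes. Note what this does and does not buy you: the filter stops the application from buffering or parsing more than the limit and tells the container to drop the connection, but the bytes the client has already sent still arrived at the socket, and nothing here addresses the other half of a DoS, thousands of small requests at once; that has to be handled in front of the app server.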

Author: Aveen

Updated on June 08, 2022

Comments

  • Aveen, almost 2 years ago:

    I am using JBoss 4.2.3 as an appserver. Is there a way to limit the size of the HTTP POST request accepted by JBoss? I want to limit the size to avoid DoS attacks.

    I already set maxHttpHeaderSize and maxPostSize in the server.xml, but neither of them seems to make any difference.

  • BalusC, about 14 years ago:

    +1, and a DDoS attack is not only sending large data. It's also thousands of simultaneous requests happening at once.

  • jwenting, almost 4 years ago:

    This is correct for WildFly, not for JBoss classic.

  • Jerry, almost 4 years ago:

    Thanks @jwenting for your feedback. I'm running jboss-eap-7 in standalone mode and it works, and for domain mode I have to set max-post-size for ajp-listener. Can you enlighten me, please?

  • jwenting, almost 4 years ago:

    EAP7 is the commercial version of WildFly :) Classic is JBoss 4 (and maybe 5), which have a completely different architecture. They're also very old (think 10+ years) but still in use.

  • Jerry, almost 4 years ago:

    Thanks @jwenting again for this info. For this old version, we should look into the manual or the source code directly.

  • jwenting, almost 4 years ago:

    Which is what the other 2 answers did 10 years ago :)